Google will pay researchers to report information about vulnerabilities in third-party programs

Google has created a new project for funding vulnerability research, called Project Zero.

According to Chris Evans, “Researcher Herder” at Google, the objective of Project Zero is to reduce the number of people harmed by zero-day attacks.

Google already has a bug bounty program for its own products. The point of Project Zero is to fund vulnerability research on “any software depended upon by large numbers of people,” according to Evans. In addition to vulnerabilities, Project Zero will research “mitigations, exploitation, program analysis — and anything else that our researchers decide is a worthwhile investment.”

The announcement says Google is hiring outsiders to join in, although it does not explain how researchers can sign up.

Google has established an external database to house the research. The company will report bugs only to the affected software vendor and will publish the details only once the vulnerability becomes public, which typically happens when the vendor issues a patch. Researcher discussion of the vulnerability, including its exploitability, will also be public, along with the time it took the vendor to patch (if it has been patched at all).

Google researchers already have a long track record of research into other vendors’ software. Microsoft and Apple disclosures often credit Google researchers for reporting vulnerabilities.

There are many third-party research groups, such as HP’s TippingPoint Zero Day Initiative, that work in ways similar to Project Zero, paying third-party researchers to submit bugs in others’ products. Microsoft has a program for research into vulnerabilities in third-party products. It accepts reports from third-party researchers, but doesn’t pay for them.